Russia’s war on Ukraine is not just being fought with bombs but bytes too, causing nations to now ramp up their cyber defence capabilities.
One country they can learn a lot from is Estonia. The nation, which shares a border with Russia, was one of the first to come under attack from this modern form of hybrid warfare 15 years ago.
Since then, this small nation that has a population of 1.3 million people has built its cyber defence infrastructure and ranks third-best in the world behind the United States and Saudi Arabia, according to the Global Cybersecurity Index (GCI).
Estonia has been occupied twice throughout its history. The last time was by the Soviet Union, from 1940 until 1991. Since then, the country put in all the protections to ensure this could not happen again.
“There was this short opportunity window when Russia was going in, I assume, by our estimates, the right direction. And then we used this opportunity window to join all the possible clubs that we could, which is NATO, which is the European Union,” Estonia’s Prime Minister Kaja Kallas said at a press gathering attended by Euronews Next.
“And then actually, we had people asking us, why do you need this? Because Russia doesn't pose a threat anymore. And we said, ‘we know our neighbour’”.
The February 2022 invasion of Ukraine by Russia has brought back painful memories in Estonia.
“Being in the geographical location where we are, you have two choices: Either to be with the West, to be with Europe or to be with Russia,” Kallas said.
Other countries that have recently followed Estonia’s path and are bidding to join NATO are Sweden and Finland. Asked how Russia could react, Kallas responded: “We are probably going to see cyber attacks. We're going to see some showing of power. But I think that's about it”.
Kallas did not appear too worried about more possible cyberattacks. Perhaps because Estonia already learned the lessons of how to respond to them in the past.
The Bronze Soldier
The story begins in 2007 and comes down to a statue and fake news. The Bronze Soldier was unveiled by the Soviet authorities in 1947 and back then was called the “Monument to the liberators of Tallinn” and sat in the capital.
Russian speakers in Estonia believe the monument represents the USSR’s victory over Nazism but for many ethnic Estonians, the Soviet soldiers were occupiers rather than liberators, and the statue is a reminder of that.
In 2007, the Estonian government moved the Bronze Soldier from Tallinn to the outskirts of the city to a military cemetery.
Protests were then triggered by false claims by Russian media that the statue and Soviet war graves were being destroyed by Estonia’s government.
On April 26, 2007, two nights of riots gripped the capital, over 150 people were injured and one person was killed. A day later, Estonia was hit by cyberattacks, which lasted weeks and took out Estonian banks, government bodies and the media.
Exactly who was behind the attacks is unknown. The cyberattacks came from Russian IP addresses and the government has always denied any involvement.
“It has been called by many experts Web War one and at the time what the effect that had was that we really realised the vulnerability of the digital society and the digital infrastructure that we were building,” Luukas Ilves, Chief Information Officer for Estonia’s Government told Euronews Next.
“It made us aware, maybe some years before the rest of the world, of the risks around cyber attack and cyber insecurity”.
How is Estonia boosting its cybersecurity?
Out of the 2007 ashes came Estonia’s Cyber Defence League, a unit of volunteer cyber defences that was set up a decade ago to help the government face cyber threats.
The volunteers are leading IT experts and donate their time by practising what to do if a service provider is brought down by a cyber attack.
Combing the talents of the private sector is one way Estonia has built up its cyber defence.
“We sort of, I think, had the fairly obvious realisation that if a large part of the security risk to the country today comes from cyberspace, and if a lot of the talent and the ability to deal with those risks is not in government, it's in the private sector, it's individuals in academia and elsewhere,” said Ilves.
“It's a way to increase the capabilities of the government beyond the people we already have working both on the civilian side and in the military on cybersecurity to make ourselves more resilient as a whole”.
Cyber defence is also a priority for the government not just due to the recent war in Ukraine, but because so much personal data is stored online.
Estonia is one of the leading digital nations and a large part of how the public interacts with the government is done digitally, from voting and paying taxes to setting up companies and verifying identity.
The backbone of this digital society is X-Road, a software solution which acts like a distributed government information system and binds together different databases and different organisations.
“If something happens to one part of the system, there is another part of the system that takes over, that everything is backed up into various locations, that you don't have a single point of failure,” Oliver Väärtnõu, CEO of Cybernetica, the company which developed X-Road, told Euronews Next.
Cyberwars and offensive attacks
But something less spoken of is building offensive capabilities.
When the question was put to Estonia’s Prime Minister, she replied: “What I can tell you, because this is a very difficult position. I hear things in the secret rooms that I can't talk about. I would say that we don’t talk about things publicly but going to [cyber] offensive brings about different risks that you don’t put back in a bottle”.
“I can't say we don't and I can't say we do but I would answer that if we do, we are not talking about this,” she added when pushed on the topic.
While governments remain tight-lipped on the issue of cyber offence development, it appears to be an open secret and in Ukraine’s case a necessity.
“I think there is no real secret anymore that governments develop their offensive (cyber) capabilities. And partly why Ukraine has been successful is that they have created this cyber army that is putting on so-called active defence, which is an offensive defence to put it in other words,” said Väärtnõu.
“It's quite common nowadays that countries develop these (cyber) capabilities and use them as well in conflict situations. I've also seen that Europe as a whole, meaning European Defence Agency, etc are looking at kind of jointly developing these capabilities”.
Väärtnõu added that there is now a lot of debate over what cyber conflict means in the legal sense and if NATO’s Article Five of the treaty, which means an attack on one member is an attack on all of them, should be applied in the event of a cyber conflict.
But he notes it is difficult to attribute a cyberattack to an adversary and this is why countries are not saying if they are conducting cyber attacks or building the capabilities.
Estonia’s government sees the development of cybersecurity as a constant investment and says it is always looking at ways to improve and build more complicated systems.
The country also believes it can learn a lot from the war in Ukraine and should keep a close eye on Russian cyber activities.
“I think it's very important to realise that the threat and the risk level in cyberspace as a result of the sanctions and the actions that we have appropriately, all taken collectively against Russia, does mean that they may attempt types of attacks that they haven't previously attempted against various kinds of essential infrastructure in Europe or more broadly, the rest of the world,” said Ilves.
But being a NATO and EU member, Estonia does not see the potential cyber attacks as just an attack on the nation.
“I don't think that Estonia is a particular target there. Rather, we see ourselves as being part of this broader collective target,” said Ilves.